Cyber Update

Adobe, Microsoft Push Critical Security Fixes: It’s Patch Tuesday, again. That is, if you run Microsoft Windows or Adobe products. Microsoft issued a dozen patch bundles to fix at least 54 security flaws in Windows and associated software. Separately, Adobe’s got a new version of its Flash Player available that addresses at least three vulnerabilities. KrebsOnSecurity, July 11, 2017

Cyber Defense

Keep security in mind on your summer vacation: When you travel, there probably are a few must-haves in your suitcase: your toothbrush, deodorant, socks, shoes – you get the idea. But one travel must-have we don’t always think about is security. While you’re away from home, you might be using public Wi-Fi, tagging your locations (whether or not you realize it), carrying around your passport, and using your credit card more often. Those things could put you at a higher risk of identity theft. Federal Trade Commission, Consumer Information, July 13, 2017

Information Security Management in the Organization

Information Security Management and Governance

Beyond Breach Notification: Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach. California’s law has been amended multiple times, and has been followed by breach notification laws in almost every state, as well as the notification requirements under the Health Insurance Portability and Accountability Act (“HIPPA”). As these laws developed, a tandem requirement has emerged: the obligation to take reasonable steps to protect data, and companies are, increasingly focused on taking steps to ensure the security of their data. Robert Braun, SecureTheVillage Leadership Council, Jeffer Mangels Butler & Mitchell Cybersecurity Lawyer Forum, July 7, 2017

Cyber Awareness

How to Avoid Being the Weakest Link in Your Company’s Information Security: When you think of hackers, you probably think of some spy movie where they come down from the ceiling to steal a computer off of a desk and then whisk it away to their laboratory where they input lines of code to crack the encryption. In reality, hacking is often as simple as learning about a user and then guessing their password or even asking them for it: a process called social engineering. INC, July 13, 2017

Using Feedback Loops to Enhance End User Security: The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines. SecurityIntellegicen, August 9, 2017

Cyber Warning

Darkweb Hackers Begin Offering Functional Mac Malware and Ransomware as a Service: With the popularity of both ransomware and the creation of macOS malware on the rise with hackers, Apple users face a growing number of threats. It now appears that others have turned their attention to the creation of new malware to spy on Mac users — but these programmers have gone a step further. Rather than developing a tool and deploying it personally, they have taken to the dark web to offer their products for sale. Known respectively as MacSpy and MacRansom, the hackers provide the malware to users while operating a centralized web portal. The authors’ continued involvement is why this threat is often called malware- or “ransomware-as-a-service.” SecureMac, June 29, 2017

IT is NOT Cybersecurity: Having IT isn’t enough anymore, businesses need a separate security team also. Policemen and firefighters are a good examples of this, both of them will help you in your time of need, but each of them has very specific training for specific functions. CSO, July 11, 2017

Cyber Security in Society

Cyber Crime

Half-Year Roundup: The Top Five Data Breaches of 2017 — So Far: Data breaches aren’t slowing down. If anything, they’re set to break last year’s record pace. As noted by 24/7 Wall Street, the 758 breaches reported this year mark nearly a 30 percent increase from 2016. If cybercriminals keep it up, the total number of attacks could break 1,500 by the end of 2017. SecurityIntelligence, July 13, 2017

Self-Service Food Kiosk Vendor Avanti Hacked: Avanti Markets, a company whose self-service payment kiosks sit beside shelves of snacks and drinks in thousands of corporate breakrooms across America, has suffered of breach of its internal networks in which hackers were able to push malicious software out to those payment devices, the company has acknowledged. The breach may have jeopardized customer credit card accounts as well as biometric data, Avanti warned. KrebsOnSecurity, July 8, 2017

Governors ask Congress to create cybersecurity committee: The leadership of the National Governors Association, including incoming chairman Gov. Brian Sandoval, repeated a plea to Congress on Friday to create a national committee to address cybersecurity threats. Las Vegas Review Journal, July 14, 2017

Stewart Baker interviews DSB’s Jim Miller re cyber conflict & deterrence: In this episode, we interview Jim Miller, co-chair of a Defense Science Board panel that reported on how the US is postured for cyberconflict and the importance of deterrence. The short answer: deterring cyberconflict is important because our strategic cyberconflict posture sucks. The DSB report is thoughtful, detailed, and troubling. Jim Miller manages to convey its message with grace, good humor, and clarity. Steptoe Cyberblog, July 10, 2017

Stewart Baker interviews ex-NSA Deputy Director Richard Ledgett: Today we deliver the second half of our bifurcated holiday podcast with an interview of Richard Ledgett, recently retired from his tour as NSA’s deputy director. We cover much recent history, from Putin’s election adventurism to questions about whether NSA can keep control of the cyberweapons it develops. Along the way, Rick talks about the difference between CIA and NSA approaches to hacking, the rise of NSA as an intelligence analysis force, the growing effort to keep Kaspersky products out of sensitive systems, and the divergence among intel agencies about whether Putin’s attack on the American election was intended mainly to hurt Hillary Clinton or to help Donald Trump. Steptoe Cyberblog, July 5, 2017

Financial Cyber Security

Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’: A greater number of ATM skimming incidents now involve so-called “insert skimmers,” wafer-thin fraud devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. New evidence suggests that at least some of these insert skimmers — which record card data and store it on a tiny embedded flash drive — are equipped with technology allowing them to transmit stolen card data wirelessly via infrared, the same communications technology that powers a TV remote control. KrebsOnSecurity, July 13, 2017

HIPAA

HIPAA: Five Steps to Ensuring Your Risk Assessment Complies with OCR Guidelines: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and healthcare technology have changed significantly over the past 20 years. Covered entities and their business associates face an ever-evolving risk environment in which they must protect electronic protected health information (ePHI). Although healthcare security budgets may increase this year, the cost of implementing and maintaining adequate security controls to protect an entity’s ePHI far exceeds what is often budgeted. As a result, some ePHI may be under-protected and vulnerable to data breach. A long-term, consistent and cost-conscious approach to HIPAA compliance is needed. healthcare informatics, July 14, 2017

Critical Infrastructure

Your Guide to Russia’s Infrastructure Hacking Teams: Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits. Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cybercriminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years. WIRED, July 12, 2017

Combating a Real Threat to Election Integrity: Russia’s meddling in the 2016 election may not have altered the outcome of any races, but it showed that America’s voting system is far more vulnerable to attack than most people realized. Whether the attackers are hostile nations like Russia (which could well try it again even though President Trump has raised the issue with President Vladimir Putin of Russia) or hostile groups like ISIS, the threat is very real. The New York Times, July 8, 2017

Internet of Things

The Threat From Weaponized IoT Devices: It’s Bigger Than You Think!: IoT devices, such as smart meters, smart watches and building automation systems, are prolific. You may think that compromised IoT devices pose a danger only to the devices’ owners — for example, it’s easy to understand the privacy violation of an attacker viewing a web camera feed without the owner’s permission. SecurityIntelligence, July 20, 2016

Cyber Sunshine

Darknet Marketplace AlphaBay Offline Following Raids: A joint law enforcement investigation involving the United States, Canada and Thailand appears to have resulted in the takedown of the world’s largest darknet marketplace, called AlphaBay. Meanwhile, one of its alleged operators has been found dead in a Bangkok jail cell. BankInfoSecurity, July 14, 2017